Re: [PATCH v4 3/5] Update security layer to handle many security labels

"Daniel P. Berrange" <berrange@xxxxxxxxxx> · Tue, 21 Aug 2012 11:47:47 +0100



On Tue, Aug 21, 2012 at 12:45:47PM +0200, Viktor Mihajlovski wrote:
> On 08/16/2012 12:10 AM, Marcelo Cerri wrote:
> 
> > -    if (!def->seclabels[0]->norelabel) {
> > -        def->seclabels[0]->imagelabel = virSecuritySELinuxGenNewContext(
> > -                                                    data->file_context, mcs);
> > -        if (!def->seclabels[0]->imagelabel)  {
> > +    if (!seclabel->norelabel) {
> > +        seclabel->imagelabel = virSecuritySELinuxGenNewContext(
> > +                                                    data->domain_context, mcs);
> > +        if (!seclabel->imagelabel)  {
> >               virReportError(VIR_ERR_INTERNAL_ERROR,
> >                              _("cannot generate selinux context for %s"), mcs);
> >               goto cleanup;
> >           }
> >       }
> > 
> > -    if (!def->seclabels[0]->model &&
> > -        !(def->seclabels[0]->model = strdup(SECURITY_SELINUX_NAME))) {
> > +    if (!seclabel->model &&
> > +        !(seclabel->model = strdup(SECURITY_SELINUX_NAME))) {
> >           virReportOOMError();
> >           goto cleanup;
> >       }
> 
> the patch breaks the object labelling again ... please apply the following patch to fix, thanks!
> 
> Image context must always use data->file_context.
> 
> Signed-off-by: Viktor Mihajlovski <mihajlov@xxxxxxxxxxxxxxxxxx>
> ---
>  src/security/security_selinux.c |    7 ++++---
>  1 files changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index eea8fbd..da2a9c4 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -450,9 +450,10 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
>      }
>  
>      if (!seclabel->norelabel) {
> -        seclabel->imagelabel = virSecuritySELinuxGenNewContext(data->domain_context,
> -                                                               mcs,
> -                                                               true);
> +        seclabel->imagelabel =
> +            virSecuritySELinuxGenNewContext(data->file_context,
> +                                            mcs,
> +                                            true);
>          if (!seclabel->imagelabel)  {
>              virReportError(VIR_ERR_INTERNAL_ERROR,
>                             _("cannot generate selinux context for %s"), mcs);

I've already pushed the same fix - I noticed it when i ran my selinux
label test case


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list